The $1.4 billion hack on Bybit is not only the largest exploit in crypto history but also a major test of the industry's crisis management capabilities, showing how much it has matured since the collapse of FTX.
On February 21, North Korea's Lazarus Group sent chills across the crypto world by draining $1.4 billion in ether (ETH) and related tokens from Bybit, but the shock was quickly contained as the industry rallied behind Bybit and managed the fallout.
Here is how the attack unfolded, how Bybit responded, and where the stolen funds are moving.
Source: Elliptic
February 21: Bybit hacked
The Bybit hack was first flagged by onchain sleuth ZachXBT, who warned exchanges and platforms to blacklist the addresses associated with the hack.
Soon after, Bybit co-founder and CEO Ben Zhou confirmed the exploit and began providing updates and information on the breach.
Initial analysis from Chainalysis said Lazarus had carried out a phishing attack to gain access to the exchange's funds, but the analysis was later updated to report that the hackers had gained control of a Safe developer's computer rather than compromising Bybit's own systems.
The attackers rerouted 401,000 ETH, worth $1.14 billion at the time of the exploit, through a network of intermediary wallets.
A complex network of wallets, swaps and cross-chain bridges was used to obscure the hackers' funds. Source: Chainalysis
February 21: Bybit assures users its wallets are safe; Ethena confirms solvency
The exchange immediately assured users that its remaining wallets were safe, announcing just minutes after Zhou confirmed the exploit that "all other Bybit cold wallets remain completely safe. All our client funds are safe and our business continues as usual without any disruption."
A few hours after the hack, customer withdrawals remained open. In a Q&A session, Zhou said that the exchange had by then approved and processed 70% of its withdrawal requests.
Decentralized finance platform Ethena told users that its yield-bearing stablecoin USDe remained solvent after the hack. The platform reportedly had $30 million of exposure to derivatives positions on Bybit but was able to cover the losses from its reserve fund.
February 22: Crypto industry lends Bybit a helping hand; hackers blacklisted
Many crypto exchanges reached out to help Bybit. Bitget CEO Gracy Chen announced that her exchange had lent Bybit around 40,000 ETH (approximately $95 million at the time).
Crypto.com CEO Kris Marszalek said he would direct his company's security team to provide assistance.
Other exchanges and crypto companies began freezing funds linked to the hack. Tether CEO Paolo Ardoino posted on X that the company had frozen 181,000 USDT (USDT) connected to the hack. Polygon's chief information security officer, Mudit Gupta, said the Mantle team had been able to recover approximately $43 million of the hackers' funds.
Zhou posted a thank-you note on X, tagging many notable crypto companies he said had supported Bybit, including Bitget, Galaxy Digital, the TON Foundation and Tether.
Source: Ben Zhou
Bybit also announced a bounty program offering rewards of up to 10% of any recovered funds, which could amount to as much as $140 million.
February 22: Run on withdrawals; Lazarus moves funds
Following the incident, the exchange's total asset value fell by more than $5.3 billion as users withdrew their funds.
Despite the run, the exchange kept withdrawal requests open, albeit with delays, and Bybit's independent auditor Hacken confirmed that its reserves still exceeded its liabilities.
Meanwhile, the blockchain trail showed Lazarus continuing to split the funds across intermediary wallets, further obfuscating their movement.
In one example, blockchain analytics firm Lookonchain said that Lazarus had begun laundering the funds, identifying a wallet labeled "Bybit Exploiter 54" that held 10,000 ETH worth nearly $30 million.
Blockchain security firm Elliptic wrote that the funds were likely headed toward a mixer, a service that obscures the links between blockchain transactions.
February 23: eXch accused of laundering; Bybit continues to restore funds; blacklist expands
Blockchain analysts ZachXBT and Nick Bax both claimed that the hackers were able to launder funds through the noncustodial crypto exchange eXch. ZachXBT claimed the exchange had laundered $35 million of the funds and then accidentally sent 34 ETH to another exchange's hot wallet.
Source: Nick Bax
eXch denied laundering North Korea's funds but acknowledged processing "a minority of the funds from the Bybit hack."
The funds "finally entered our address 0xf1da173228fcf015f43f3ea15abbbbb51f0d8f1123. This is an isolated case, and the fees, the only part that will be processed in our exchange, will be donated to public goods," the exchange said.
To help identify wallets involved in the incident, Bybit released a blacklisted-wallet application programming interface (API). The exchange said the tool would support white hat hackers taking part in the aforementioned bounty program.
Bybit was also able to restore its ether reserves to almost half of their pre-hack level, mainly through spot purchases and trades made after the incident, as well as ether provided by other exchanges.
February 24: Lazarus spotted on DEXs; Bybit closes ETH gap
Blockchain detectives continued to monitor the flow of funds linked to Lazarus. Arkham Intelligence observed addresses associated with the hackers trying to swap the stolen crypto for Dai (DAI) on decentralized exchanges (DEXs).
The wallet, which had received a portion of the ETH stolen from Bybit, reportedly interacted with Sky Protocol, Uniswap and OKX DEX. According to trading platform LMK, the hackers were able to swap at least $3.64 million.
Unlike stablecoins such as USDT and USDC (USDC), Dai cannot be frozen by its issuer.
Zhou announced that Bybit had "closed the ETH gap completely," meaning it had replaced the $1.4 billion in ether lost in the hack. His announcement was followed by a third-party verification report.
Bybit restored its ether reserves to pre-hack levels. Source: DarkFost
February 25: War on Lazarus
Bybit launched a dedicated website for its recovery effort, which Zhou promoted while calling on the crypto community to unite against the Lazarus Group. The site distinguishes between those who have helped and those who have reportedly refused to cooperate.
Almost $95 million of reported funds has been transferred to exchanges. Source: Lazarus Bounty
The site highlights the individuals and groups that helped freeze stolen funds and splits the 10% bounty equally between the reporters and the entities that froze the funds.
It also names eXch as the only platform to have refused to assist, saying it ignored 1,061 reports.
February 26: FBI confirms Lazarus attribution and Safe compromise
The US Federal Bureau of Investigation (FBI) confirmed widely reported suspicions that North Korean hackers were behind the attack, naming the threat actor it tracks as TraderTraitor, better known in cybersecurity circles as the Lazarus Group.
In a public service announcement, the FBI urged the private sector, including node operators, exchanges and bridges, to block transactions from addresses linked to Lazarus.
Source: Pascal Caversaccio
The FBI identified 51 suspicious blockchain addresses linked to the hack, while cybersecurity firm Elliptic has identified more than 11,000 intermediary addresses.
Meanwhile, post-hack investigations found that the breach stemmed from compromised Safe{Wallet} developer credentials rather than from Bybit's own infrastructure, as had previously been reported.
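Two defensive tasks recur throughout this timeline: tracing stolen funds as they are split across intermediary wallets (the 51 seed addresses the FBI published versus the more than 11,000 intermediaries Elliptic traced), and screening deposits against that growing list, which is what the FBI asked node operators and exchanges to do and what Bybit's blacklisted-wallet API was meant to support. The script below is an added example written for this article, not code from Bybit, the FBI or any of the firms named here. It walks a constructed transfer log forward from a set of seed addresses (breadth-first, bounded by a hop limit), labels every reachable address with its distance from the nearest seed, and then applies a simple screening policy to deposits arriving at an exchange. All addresses, transfers and the freeze/review thresholds are invented placeholders for illustration.

```python
"""Seed-based taint propagation over a transfer log, then deposit screening.

Constructed example: every address and transfer below is an invented
placeholder, not a real address from the Bybit incident.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx: str          # transaction hash (placeholder)
    sender: str      # from-address
    receiver: str    # to-address
    amount_eth: float


# Constructed seed list standing in for a published blacklist.
SEED_ADDRESSES = {"0xseed_exploiter_01", "0xseed_exploiter_02"}

# Constructed transfer log: the exploiter fans out through two hops,
# some of which eventually land on an exchange's deposit addresses.
TRANSFERS = [
    Transfer("tx1", "0xseed_exploiter_01", "0xhop1_a", 10_000.0),
    Transfer("tx2", "0xseed_exploiter_01", "0xhop1_b", 10_000.0),
    Transfer("tx3", "0xseed_exploiter_02", "0xhop1_c", 5_000.0),
    Transfer("tx4", "0xhop1_a", "0xhop2_d", 9_999.0),
    Transfer("tx5", "0xhop1_b", "0xhop2_e", 4_000.0),
    Transfer("tx6", "0xhop2_d", "0xexchange_deposit_x", 500.0),
    Transfer("tx7", "0xclean_user", "0xexchange_deposit_y", 1.5),  # unrelated
    Transfer("tx8", "0xhop1_c", "0xexchange_deposit_x", 100.0),
]

EXCHANGE_DEPOSIT_ADDRESSES = {"0xexchange_deposit_x", "0xexchange_deposit_y"}


def propagate_taint(seeds, transfers, max_hops=3):
    """Breadth-first walk forward along transfers from the seed set.

    Returns {address: hops_from_nearest_seed}; seeds are hop 0. BFS means
    the first time an address is discovered is its shortest distance.
    max_hops bounds the walk so a large graph does not taint everything.
    """
    outgoing = {}
    for t in transfers:
        outgoing.setdefault(t.sender, []).append(t.receiver)
    hops = {addr: 0 for addr in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for nxt in outgoing.get(addr, []):
            if nxt not in hops:
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops


def screen_deposit(deposit, tainted):
    """Illustrative policy (the example's own, not any exchange's):
    seed or one-hop sender -> freeze; deeper hop -> manual review;
    sender not downstream of any seed -> clear."""
    distance = tainted.get(deposit.sender)
    if distance is None:
        return "clear"
    if distance <= 1:
        return "freeze"
    return "review"


def screen_exchange_deposits(transfers, exchange_addresses, seeds, max_hops=3):
    """Screen every transfer landing on one of our deposit addresses.

    Taint is computed once over the whole log and then looked up per
    deposit, as a batch compliance job would do. Returns {tx: decision}.
    """
    tainted = propagate_taint(seeds, transfers, max_hops)
    return {
        t.tx: screen_deposit(t, tainted)
        for t in transfers
        if t.receiver in exchange_addresses
    }


if __name__ == "__main__":
    decisions = screen_exchange_deposits(
        TRANSFERS, EXCHANGE_DEPOSIT_ADDRESSES, SEED_ADDRESSES
    )
    for tx, decision in sorted(decisions.items()):
        print(f"{tx}: {decision}")
```

Two limitations are worth keeping in mind when reading the output. The hop limit is a blunt instrument: raising it catches more peel-chain intermediaries but also sweeps in legitimate counterparties, which is why anything beyond one hop is routed to review rather than frozen outright. And the walk follows onchain edges only; once funds pass through a mixer or a cross-chain swap of the kind described above, the graph is cut and the seed list has to be extended by other means.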
February 27: Thorchain volume explodes
Security firm TRM Labs flagged the speed of the Bybit hackers' laundering effort as "particularly surprising," noting that by February 26 the hackers had moved more than $400 million through wallets, crypto conversions, cross-chain bridges and DEXs. TRM also noted that most of the stolen proceeds had been converted to Bitcoin (BTC), a tactic commonly linked to Lazarus. Most of the converted Bitcoin remains parked.
Meanwhile, Arkham Intelligence found that Lazarus had moved at least $240 million in ETH through the cross-chain protocol Thorchain, swapping it for Bitcoin. Cointelegraph found that Thorchain's total swap volume exploded in 48 hours, exceeding $1 billion.
Thorchain developer Pluto announced an immediate departure from the project after a vote to block transactions linked to the North Korean hackers was overturned. Meanwhile, Lookonchain reported that the hackers had laundered 54% of the stolen funds.
What the Bybit hack means for crypto
While Bybit was able to fully restore its lost reserves, the incident raised bigger questions for the blockchain industry about how to deal with hacks.
Ethereum developer Tim Beiko quickly rejected calls to roll back the Ethereum network to refund Bybit. He said the hack was fundamentally different from previous cases, adding that "the interconnected nature of Ethereum and the settlement of off-chain economic transactions make this manageable today."
The fallout from the Bybit exploit suggests that the Lazarus Group has become more efficient at moving blockchain-based funds. TRM Labs investigators suspect this could indicate an improvement in North Korea's crypto laundering infrastructure or an enhanced ability to absorb illicit funds into underground financial networks.
As the value locked on blockchain platforms grows, so does the sophistication of attacks. The industry is a major target for North Korean state-sponsored hackers, who reportedly funnel the proceeds into the country's weapons programs.